This is a tutorial on setting up Secure Shell (SSH) on Cisco routers and switches. Previously we talked about how to set up Telnet access to Cisco routers and switches. SSH is a protocol for logging into a remote machine and executing commands on it (OpenSSH is the most common client and server implementation on Linux and BSD). It is the successor to Telnet and was designed with the confidentiality and integrity of the session in mind.
SSH uses TCP port 22 by default to connect to a remote device. It was designed to replace rlogin and rsh and to provide encrypted, authenticated communication between two hosts over an insecure network. The user must prove their identity to the remote machine, with a password or a key, before being allowed in.
SSH negotiates session keys during its key exchange and encrypts everything that follows, so sensitive information such as the username, the password and the commands you type is protected from an eavesdropper on the path. Telnet, by contrast, sends all of it in clear text.
List of commands used for ssh on Cisco Routers and Switches
ip domain-name: Sets the domain name. It is required before key generation because the RSA key pair is named after hostname.domain-name.
crypto key generate rsa [general-keys] modulus <bits>: Generates the RSA key pair the SSH server uses to identify itself to clients during key exchange. Without a key pair the SSH server will not start.
ip ssh time-out: Sets the maximum time (in seconds) the server waits for a client to finish negotiation and authentication.
ip ssh authentication-retries: Sets the maximum number of failed login attempts allowed on an SSH connection before it is dropped.
line vty <first> <last>: Selects the range of VTY lines to configure.
transport input ssh telnet: Allows both SSH and Telnet on the selected lines. The order of the keywords does not create a priority; the connecting client chooses the protocol, so this still leaves Telnet open. Use transport input ssh to allow SSH only.
We’ll use the same topology shown below that we used for Telnet Lab.
Steps to follow
We’ll set up R1 as the SSH client and R2 as our SSH server.
login local on the VTY lines means that any inbound connection is prompted for a username and password, which the router checks against its local user database. We then added a user “admin” with the password “password!123“. Using the secret keyword stores a hash of the password in the configuration, whereas the password keyword stores it in a reversible form. The transport input ssh command restricts access to the VTY lines to SSH only; depending on the IOS version the default may allow Telnet as well, so set it explicitly.
Setting IP address information, hostname and domain name.
Generating RSA Keys
Note: To generate the key pair, the hostname and domain name must already be set. For RSA keys, we’ll specify a modulus of 1024 bits. Remember, a larger modulus is stronger: 1024 bits is weak by today’s standards, so use 2048 bits or more on hardware that supports it (larger keys take noticeably longer to generate on older routers).
R2# configure terminal
R2(config)# crypto key generate rsa modulus 1024
Now it’s time to connect to R2 using R1 as the SSH client. The command to do this is
ssh -l username ip-address. In our topology we’ll enter the following command in privileged mode on R1:
R1# ssh -l admin 192.168.100.2
Enter the password and you’re good to go.
Confirm that you are connected by checking the session on R2: show ssh lists the active SSH session with its version and user, and show tcp brief shows the established TCP connection on local port 22.
R2# show tcp brief
To close the SSH session, just type exit.
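The whole procedure on one page, as an added example for this tutorial (it is not the lab’s own configuration dump). The hostnames, the address 192.168.100.2 and the admin credentials are the ones used above; the interface name FastEthernet0/0, the subnet mask 255.255.255.0, the domain name example.com and R1’s address 192.168.100.1 are assumptions for the example. Lines starting with ! are IOS comments.

```text
! R2 (SSH server). Hostname and domain name must be set before the key pair
! is generated, because the key is named after hostname.domain-name.
R2# configure terminal
R2(config)# hostname R2
R2(config)# ip domain-name example.com
! Assumed interface and mask for the link to R1
R2(config)# interface FastEthernet0/0
R2(config-if)# ip address 192.168.100.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# exit
! Local account; "secret" stores a hash, "password" would store a reversible form
R2(config)# username admin secret password!123
! 2048-bit key instead of the 1024 used in the text above
R2(config)# crypto key generate rsa modulus 2048
! SSHv2 only, 60 s to complete authentication, 3 failed attempts per connection
R2(config)# ip ssh version 2
R2(config)# ip ssh time-out 60
R2(config)# ip ssh authentication-retries 3
! VTY lines: authenticate against the local user database, accept SSH only
R2(config)# line vty 0 4
R2(config-line)# login local
R2(config-line)# transport input ssh
R2(config-line)# end
R2# write memory

! R1 (SSH client, assumed address 192.168.100.1 on the same link)
R1# ssh -l admin 192.168.100.2
Password:
R2>

! Verification on R2 while R1 is connected
R2# show ip ssh      ! "SSH Enabled - version 2.0", retries and time-out values
R2# show ssh         ! active session: version, cipher, state and username
R2# show tcp brief   ! ESTAB entry with local address 192.168.100.2.22
```

Order matters in the first block: if you generate the key pair before setting the domain name, IOS refuses with a message that the domain name is not configured, and if you set transport input ssh before the key pair exists you lock yourself out of the VTY lines until you fix it from the console.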
If you don’t have GNS3 and don’t have access to real Gear, check out our tutorial on Installing GNS3 1.2.x on Ubuntu and Linux Mint and Installing GNS3 1.2.x on Kali Linux
If you want to assure yourself that SSH really does encrypt the data stream, right click on the wire connecting the two routers in GNS3, start a capture, then open it in Wireshark and use Follow TCP Stream. You will see only the two plain-text version banners exchanged at the start (for example SSH-2.0-Cisco-1.25 from the router); everything after the key exchange, including the username and password, is unreadable. Repeat the exercise with a Telnet session and the credentials appear in clear text.